VYPR
High severity 7.1 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2025-68843

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS. This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in FeedWordPress Advanced Filters plugin (<=0.6.2) allows attackers to inject malicious scripts via unneutralized input.

Vulnerability

Overview

CVE-2025-68843 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin FeedWordPress Advanced Filters (faf), affecting versions through 0.6.2. The root cause is improper neutralization of user-supplied input during web page generation, which lets an attacker inject arbitrary HTML and JavaScript into a response [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link or form that, when clicked or submitted by a privileged user (such as an administrator), causes the injected script to execute in the context of the victim's browser session. No authentication is required to initiate the attack, but user interaction is necessary for successful exploitation [1].

Impact

Successful exploitation could allow an attacker to perform actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing session cookies. This can lead to further compromise of the WordPress site and its users [1].

Mitigation

The vendor has not yet released an official patch, but Patchstack has made a mitigation rule available to block attacks until a fix is applied. Users are advised to update the plugin as soon as a patched version becomes available, or contact their hosting provider for assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
